Method and device for securing a portal in a computer system

ABSTRACT

A problem posed by the present invention relates to the modification of an existing company directory in a computer system during the securing of said system.  
     The present invention offers a device and a method for handling security in a computer system ( 1 ) comprising an existing organizational directory ( 10 ). Upon reception of an access request from an entity ( 8 ) to a server machine ( 6 ) of the system ( 1 ), the device creates or searches in a security directory ( 13 ) for security data attached to said entity ( 8 ), without modifying the data of the existing directory.

[0001] The present invention concerns a method and a device for securing a portal in a computer system, using but not modifying an existing organizational directory.

Prior Art

[0002] The computer systems of entities such as businesses, universities, public administrations, etc., very often include a directory that defines physical persons, groups of people, organizational units or other elements belonging to this entity. The directory lists a designation of said persons, a location, a role within said entity and/or any other characteristics.

[0003] More and more, companies wishing to secure their computer systems, and particularly their employees' use of the Web or of a particular network of machines to access said system.

[0004] The current devices offered for securing computer systems require the existing directory to be modified so that security data can be added to it. The installation of a security device in a computer system very often requires a complete and painstaking analysis of the existing directory as well as a redefinition of the users and their organization in said directory. The installation of the security device is costly in terms of both time and money.

[0005] Moreover, the modeling of the security influences the configuration of the computer system, and particularly the existing directory; reinforced security mechanisms for the directory itself must be added. The range of utilization of said directory by the users is consequently reduced.

[0006] One problem posed by the present invention relates to the modification of the existing directory of a computer system during the securing of said system.

[0007] One object of the present invention consists of handling the security of a computer system while maintaining the existing organizational directory of said system.

[0008] Another object of the present invention consists of installing a security device into a computer system automatically without affecting the components of the system, i.e., to offer a “plug & play” automatic installation solution.

SUMMARY OF THE INVENTION

[0009] In this context, the present invention offers a method for securing a system comprising at least one client machine and at least one server machine, wherein an existing organizational directory lists an entity by means of a unique designation, characterized in that it consists of creating a security directory in which security data are stored and/or, upon reception of a request from an entity via a server machine, of searching in said security directory for the security data related to said request and said entity, using the unique designation of said entity found in the directory.

[0010] The present invention also concerns the system for implementing said method, applications of said method, and the program that implements said method.

PRESENTATION OF THE FIGURES

[0011] Other characteristics and advantages of the invention will become clear in light of the following description, given as an illustrative and non-limiting example of the present invention, in reference to the attached drawings in which:

[0012]FIG. 1 is a schematic view of an embodiment of the system according to the invention;

[0013]FIG. 2 represents an exemplary existing organizational directory of the system represented in FIG. 1;

[0014]FIG. 3 is a first exemplary arrangement of security data in the system according to the present invention represented in FIG. 1;

[0015]FIG. 4 is a second exemplary arrangement of security data in the system according to the present invention represented in FIG. 1.

DESCRIPTION OF AN EMBODIMENT OFTHE INVENTION

[0016] The computer system can be a system whose environment is distributed or local.

[0017] As shown in the embodiment of the system according to the invention illustrated in FIG. 1, the system 1 is distributed and composed of machines 2 a, 2 b, 2 c, 2 d, 2 e, 2 f, 2 g, 2 h organized into one or more networks 3. A machine 2 is a very broad conceptual unit that includes both hardware and software. The machines can be very diverse, such as for example workstations, servers, routers, specialized machines, telephones or gateways between machines. Only the components of the machines 2 of the system 1 that are characteristic of the present invention will be described, the other components being known to one skilled in the art.

[0018] As shown in FIG. 1, in the present invention, the system 1 is a computer system comprising at least one machine 2 a called a client machine 4, at least one security machine 2 b called a security gateway 5, and at least one machine 2 c called a server machine 6. The security gateway 5 is accessible via the client 4 and server 6 machines; it is placed between these two machines in order to intercept and process all the requests issuing from the client machines 4 and addressed to the server machines 6.

[0019] The system 1 comprises resource machines 2 d called resources 7 that the client machines 4 wish to access at the request of calling entities 8. The resources 7 are accessible via the server machine 6 and are managed by said machine.

[0020] The system 1 includes storage means 9 and means for handling accesses to an organizational directory 10 in which the entities 8 of the system 1 are listed and stored. In the embodiment illustrated in FIGS. 1 through 3, the storage means 9 comprise a disk in a machine 2 e, the machine 2 e being connected to the gateway 5. According to another embodiment, the storage means 9 comprise a memory in the security gateway 5. In the embodiment illustrated, the calling entities 8 are users (physical persons) of the system; the users 8 are arranged in the directory 10 based on their geographical location, as shown in FIG. 2. Thus, for example, the user Marc Dupont is located in Lille, in France.

[0021] The gateway 5 accesses the organizational directory 10 using the LDAP protocol (Lightweight Directory Access Protocol) or any equivalent protocol. A protocol equivalent to the LDAP protocol is a protocol for which the accessed directory has similar characteristics.

[0022] The characteristics of the LDAP protocol or an equivalent protocol are as follows:

[0023] the data are stored in storage units;

[0024] the data are organized so as to be accessible during a creation, a search, a modification or a deletion;

[0025] a storage unit is identified in a unique way by means of an identifier or a name or the like.

[0026] In detail, for the example illustrated, the characteristics of a directory accessed using LDAP are as follows:

[0027] The data are organized hierarchically. “Branches” derive from a single “root” (France in FIG. 2). Each “node” can have either other branches, or “leaves.”

[0028] The unit of storage is called an “LDAP entry” 11. The LDAP entry 11 is either a node or a leaf. In FIG. 2, an LDAP entry 11 is represented by a rectangle.

[0029] An LDAP entry is associated with a certain amount of information that is specific to it; this information is called the “attributes” of the entry. The directory contains an attribute identifying each user in a unique way: the unique identifier. The unique identifier corresponds, in the example illustrated, to the first letter of the first name joined to the last name of the user 8: MDupont for Marc Dupont.

[0030] An entry 11 is unambiguously identified by means of a unique name called the dn (distinguished name). The dn of Marc Dupont in FIG. 2 is as follows:

[0031] Dn=Marc.Dupont/Lille/France

[0032] The unique name depends on the organization of the directory. If the organization changes (the subsidiary Lille disappears), the unique name of the entry concerning, for example, Marc Dupont, changes:

[0033] Dn=Marc.Dupont/Paris/France. On the other hand, the unique identifier of Marc Dupont remains unchanged: MDupont.

[0034] The system 1 includes storage means 12 and means for handling access to a security directory 13. In the embodiment illustrated in FIGS. 1 through 3, the storage means 12 comprise a disk in a machine 2 f, the machine 2 f being connected to the gateway 5. According to another embodiment, the storage means 12 comprise a memory in the security gateway 5.

[0035] According to another embodiment, the storage means 12 correspond to the storage means 9. The security data are stored on the same physical medium as the existing data concerning the entities 8. The security data are logically separated from the existing data. For example, the security data are all located in a single branch attached to the existing directory. No matter what physical medium and logical form are used, the data are said to be stored in the security directory 13, it being understood that the security directory can take the form of a branch attached to the existing directory on the same physical medium.

[0036] The security directory 13 in the embodiment illustrated is accessed using LDAP.

[0037] In the embodiment illustrated in FIG. 3, the information collected in the security directory 13 is:

[0038] one or more pieces of information for mapping between addresses on the Web, called URLs (Uniform Resource Locators), requested by the user, and URLs protected by the security gateway 5; the purpose of the mapping information is to hide the real internal URLs of the server machines from the client machines. The adjectives internal and external qualify the position of a machine relative to the gateway 5. Upstream from the gateway 5, no security device is present and the machines are external (outside the security device). Downstream from the gateway 5, the machines 2 are protected by the gateway 5, which intercepts and handles the security of external requests coming from external machines; the components of the system are qualified as internal. For example, as shown in FIG. 3, the mapping information indicates that the requested URL “http://www.portal.com/supp” corresponds to the protected URL “http://www.portal.supp.com/”. The address “http://www.portal.com/” is the URL of the security gateway 5; the requests from the user 8 are directed to the gateway 5, whereas the user thinks he is connected to the server “supp” of the support application. The URL of the server machine contains the URL of the gateway 5, but the user 8 is not aware of this. By typing the URL “http:// www.portal.com/supp”, the user believes he is connecting directly to the server machine “supp” that handles the support application, whereas in fact, he is connecting to the gateway having the URL “http://www.portal.com/”.

[0039] a URL collection or collections: in the example illustrated, the URL collections indicate, through appropriate link attributes, the existence of an access control list for the application whose URL is protected. In the example described, the URL collections are clearly defined: URLs in the same collection are characterized by a regular expression. For example (FIG. 3), all of the URLs characterized by the regular expression “http://www.portal.supp.com/documents/licenses/*”, in which “*” represents one or more characters of any type, are part of the same collection. The protected URL “http://www.portal.supp.com/ documents/licenses/” is part of said collection. URLs in the same collection have the same access rights to applications. Again in the example described, the entry corresponding to the collection “http://www.portal.supp.com/documents/licenses/*” comprises a link attribute to the support application, the support application comprising a link attribute to the access control list for this application. there is an access control list for the support application.

[0040] an access control list or lists: the access control lists (ACLs in FIGS. 3 and 4) stored in the storage means 12 indicate access rights of users 8 to server machines 6. In the embodiment illustrated, the access control list comprises a list of identifiers and dn's of users 8 or dn's of groups.

[0041] An account base for applications: the accounts store identifiers and user dn's as well as login names and passwords specific to the users 8 for accessing the applications in question. One entry per application is created. In each application, there is an entry containing the necessary information in the form of a list of attributes.

[0042] and/or any other information required to implement security.

[0043] In the example illustrated in FIG. 2, users 8 having similar privileges are gathered into groups.

[0044] A privilege is a security attribute of a user 8 that makes it possible to control the latter's access to a server machine 6. For example (FIG. 2), a user such as Adrien Loc is assigned the privilege “group-resa”, a privilege that authorizes him to access the reservation application.

[0045] The system 1 includes a management machine 2 b called a user management console 14, which makes it possible to enter, modify, delete, and search for the users and the groups to which they belong, and a management machine 2 h called a security management console 15, which makes it possible to enter, modify, delete, and search for the data in the security directory 13.

[0046] According to a particular embodiment of the system according to the invention, the machines 2 belong to the Web. The client machine 2 a includes a piece of browser software 15 through which the user 8 sends his requests to a site on the Web. The entry point to a set of given sites is called a portal. The portal provides a page on the web on which the owner of the site organizes and presents the information on said site in a customized way. A page on the Web (commonly called a Web page in computer literature) is a electronic document such as, for example, a text file, an image, or a video into which special codes (the tags) have been inserted, which control the structure, the appearance, the dynamic behavior, etc., of the page in software for navigating on the Web (commonly called Web browsers in computer literature). A Web browser is a piece of software used to present a document to a user, and to keep track of the relationships established between this document and other documents by means of Web links.

[0047] The gateway 5 secures the portals of the sites of the server machines 6 by intercepting and processing the requests coming from the client machines 4.

[0048] The method according to the present invention proceeds in the following way in the computer system illustrated in FIGS. 1 through 4. It should be noted that the method can be used in any other system.

[0049] The first step consists of creating the security directory 13 in the computer system 1.

[0050] The mapping information, the information related to the collections of protected URLs and the access control lists (ACLs) are entered directly by an administrator user 8 a from the security management console 15. The gateway 5 searches in the organizational directory 10 for the identifier and the dn of the user 8 in question, which are necessary for arranging the security data in the security directory.

[0051] In the example illustrated in FIG. 2, the administrator 8 a enters from the management console 14 the following data:

[0052] the mapping between the external URL “http://www.portal.com/supp” and the protected internal URL “http://www.portal.supp.com/” as well as the mapping between the external URL “<<( http://www.portal.com/resa” and the protected internal URL “http://www.portal.resa.com/”.

[0053] the URL collection characterized by the expression “http://www.portal.supp.com/documents/licenses *” is the one characterized by the expression “http://www.portal.resa.com/reservation/launch/”. Each of these URL collections has a link attribute to an access control list.

[0054] an access control list for the support application and one for the reservation application.

[0055] When the user 8 wants to subscribe to a given application, he sends the server machine 6 that manages said application an account creation request. The security gateway 5 intercepts said account creation request for the application in question. The security gateway 5 transmits to the client machine 4 a page dedicated to the opening of an account for the application in question. The user enters the information requested on said page and sends the completed page back to the server machine 6 to which the user wants to connect. The security gateway 5 intercepts said response, extracts the information entered by the user 8 and adds it to the security directory 13. To do this, it begins by searching for the user 8 in the organizational directory 10, and more particularly for his identifier and his distinguished name (dn). It creates an LDAP entry 11 in the directory 13 corresponding to the application in the branch of account bases, and an entry in the branch of accounts created corresponding to the user 8. The entry 11 of the user 8 includes the following attributes:

[0056] the unique identifier of the user (“MDupont” in the example of FIG. 3);

[0057] the unique dn of the user (Marc.Dupont/Lille/France);

[0058] the login name (Dupont) and the password (tipiti) required to access the application in question.

[0059] The security directory 13 is created partly during its installation and partly during the running of the system 1.

[0060] The security gateway 5 intercepts a request from a user 8 for access to a protected URL. The gateway 5 verifies that the user 8 has been authenticated using the method described in the patent application entitled “METHOD AND DEVICE FOR HANDLING AN AUTHENTICATION IN A COMMUNICATION USING HTTP,” filed by the present Applicant on the same day as the present application.

[0061] If the user 8 has not yet been authenticated, the security gateway 5 requests authorization of the user 8 from the client machine 2 a. The client machine 2 a presents an authentication window to the user 8. The user fills in said window, specifically indicating his identifier and the information required to form a distinguished name. The information entered is sent back to the gateway 5.

[0062] When the user has been authenticated, the security gateway 5 searches in the organizational directory 10 for the authenticated user 8, and more particularly for his unique identifier and his distinguished name.

[0063] Requests for access to a URL indicate, depending on the client machines 4, the identifier or the dn of the user 8. The use of both designations by the present device makes it possible to process all of the requests coming from client machines.

[0064] The gateway 5 verifies whether the user 8 is part of a group in the organizational directory. The gateway 5 extracts from the organizational directory 10 the unique identifier, the distinguished name of the user 8 and the name of one or more groups to which the user 8 may belong, called the groups of the user 8.

[0065] For example, if Adrien Loc wants to connect to the reservation application, the gateway 5 extracts from the directory 10 the identifier ALoc, the dn Adrien.Loc/Paris/France, and the group group-resa.

[0066] The gateway 5 searches in the security directory 13 for the mapping information attached to the URL requested by the user.

[0067] If the mapping information does not exist in the directory 13, the gateway 5 returns an error to the client machine 4: the URL does not exist.

[0068] If the mapping information is present in the directory 13, the gateway 5 retrieves the corresponding protected internal URL.

[0069] The gateway 5 searches in the security directory 13 to see whether the internal URL retrieved is part of a collection of URLs protected by an access control list.

[0070] If this is not the case, the machine 2 b considers access to the URL to be open and transmits the request for access to the internal URL retrieved.

[0071] If the internal URL retrieved is part of a collection of protected URLs, the gateway 5 consults the link attribute to an access control list. The gateway verifies that the user 8, or one or more of the user's groups, belongs to the access control list for the application in question. As seen above, the gateway has retrieved from the organizational directory 10 the identifier and the dn of the user 8 as well as the dn of the user's group or groups. The gateway searches for the user's identifier and dn or for the dn of the user's group or his various groups, if any exist, in the access control list of the application in question.

[0072] In the example of FIGS. 2 through 4, the gateway retrieves from the directory 13 of FIG. 3 the user Marc Dupont and the group group-resa of the user Adrien Loc, if Marc or Adrien have sent requests for access to the support and reservation applications, respectively, from a client machine 4. The gateway 5 deduces that Marc has the right to access the support application, and that Adrien has the right to access the reservation application, subject to an account for said applications.

[0073] If the search is unsuccessful, i.e. if neither the identifier nor the dn of the user, nor the dn of a group of the user, has been found in the access control list, the gateway 5 deduces that access is denied: an access denied response is immediately transmitted to the user 8 on the machine 2 a.

[0074] If the gateway finds the user's identifier or dn, or the dn of the group or the various groups of the user 8 in the access control list, the gateway 5 proceeds with the processing of the request by analyzing the account of the user 8, or of the group to which he belongs, for the application in question. The gateway 5 searches in the account base for the branch corresponding to the application whose URL is protected; if there is an account for this application, the gateway 5 searches in said account for the unique identifier or the distinguished name of the user retrieved from the organizational directory.

[0075] If the machine 2 b finds the unique identifier or the distinguished name in the branch of the application in question, it extracts from the security directory 13 the login name and the password required to access said application.

[0076] If the machine does not find any direct account for the user, it searches for an account listed under the name of a group of the user. If such an account is found, the machine extracts from the security directory 13 the login name and password required to access said application (in the name of the group).

[0077] In the example of FIG. 3, when Marc Dupont requests access to the support application, the gateway 5 extracts from the directory 13 the login name Dupont and the password Tipiti. In the example of FIG. 4, no account has been provided for the group group-resa or for Adrien Loc.

[0078] The gateway transmits the login name and the password of the user 8 in question to the server machine 6 whose URL is protected, followed by the request from said user. The server machine 6 receives the user's login name and password and authorizes his access. The gateway 5 performs a “Single Sign On”, i.e. a single connection procedure for a set of applications; the user is authenticated only once; his login names and passwords are not required with each access to an application. The gateway stores the login names and passwords per application for the user 8.

[0079] The present invention therefore offers a device and a method for handling security in a computer system 1 comprising an existing organizational directory 10, making it possible, upon reception of a request from an entity 8 for access to a server machine 6 of the system 1, to create or search in a security directory 13 for security data attached to said entity 8 without having to modify the existing data in the directory 10.

[0080] Hence, the present invention concerns a method for securing a system 1 comprising at least one client machine 4 and at least one server machine 6, wherein an existing organizational directory 10 lists an entity 8 by means of a unique designation, characterized in that it consists of creating a security directory 13 in which security data are stored and/or, upon reception of a request from an entity via a server machine 6, of searching in said security directory 13 for the security data related to said request and said entity 8, using the unique designation of said entity 8 found in the directory 10.

[0081] The method uses as the unique designation an identifier and a distinguished name.

[0082] The method consists of intercepting, by means of the gateway 5, all of the requests addressed to the server machine by the client machine, by sending requests to a URL of the server machine that contains the URL of the gateway.

[0083] The security data comprise:

[0084] at least one piece of information for mapping between a URL requested by the entity 8 and a protected URL, and/or

[0085] at least one URL collection, and/or

[0086] at least one access control list, and/or

[0087] at least one account for an application.

[0088] The method consists of searching in the security directory 13 for mapping information for the request in question, of returning an error to the client machine 4 if the mapping information does not exist, and of processing the request using the protected URL or performing searches for other security data if the mapping information exists.

[0089] The method consists of searching in the security directory 13 to see if there is an access control list attached to the application involved in this request, of considering access to the application to be open if no access control list is found, of searching for the entity 4 or for a group to which it belongs in the list found and denying access to the application if the entity and/or the group is absent from the list, and of processing the request or performing other searches for security data if the entity and/or the group is present in the list found.

[0090] The method consists of searching in the security directory 13 for an account for the application involved in said request in the name of the entity 4 or of a group to which it belongs, of authorizing access to said application and considering it to be anonymous if no account is found, and of processing the request with the security data of the account found or performing other searches for security data if an account is found.

[0091] The present invention also concerns a device for securing a system 1 comprising at least one client machine 4 and at least one server machine 6, wherein an existing organizational directory 10 lists an entity 8 by means of a unique designation, characterized in that it comprises a machine 2 and a security directory 13 in storage means 12, the machine 2 making it possible to create, modify, delete or search in the security directory 13 for security data, using as the security data attached to the entity 8 the unique designation found in the directory 10.

[0092] The machine 2 is a security gateway 5 placed between the client machine 4 and the server machine 6 that intercepts all of the requests addressed to the server machine by the client machine, the client machine sending requests to a URL of the server machine that contains the URL of the gateway.

[0093] The device includes a security management console 15 for entering, modifying, deleting, or searching for all or some of the security data in the directory 13.

[0094] The present invention applies to the securing of a portal, the machine 2 a including a piece of browser software through which the entity 8 sends requests to said portal. The present invention also applies to a single sign-on procedure.

[0095] The present invention relates to a program integrated into a machine 2 of a computer system 1 implementing the method according to the present invention. 

1. Method for securing a system (1) comprising at least one client machine (4) and at least one server machine (6), wherein an existing organizational directory (10) lists an entity (8) by means of a unique designation, characterized in that it consists of creating a security directory (13) in which security data are stored and/or, upon reception of a request from an entity (8) via a server machine (6), of searching in said security directory (13) for the security data related to said request and said entity (8), using the unique designation of said entity (8) found in the directory (10).
 2. Method according to claim 1, characterized in that it uses as the unique designation an identifier and a distinguished name.
 3. Method according to either of claims 1 and 2, characterized in that it consists of intercepting, by means of a gateway (5), all of the requests addressed to the server machine by the client machine, by sending requests to a URL of the server machine that contains the URL of the gateway.
 4. Method according to any of claims 1 through 3, characterized in that the security data comprise: at least one piece of information for mapping between a URL requested by the entity (8) and a protected URL, and/or at least one URL collection, and/or at least one access control list, and/or at least one account for an application.
 5. Method according to claim 4, characterized in that it consists of searching in the security directory (13) for mapping information for the request in question, of returning an error to the client machine (4) if the mapping information does not exist, and of processing the request using the protected URL or performing searches for other security data if the mapping information exists.
 6. Method according to either of claims 4 and 5, characterized in that it consists of searching in the security directory (13) to see if there is an access control list related to the application involved in this request, of considering access to said application to be open if no access control list is found, of searching for the entity (4) or for a group to which it belongs in the list found and denying access to the application if the entity and/or the group is absent from the list, and of processing the request or performing other searches for security data if the entity and/or the group is present in the list found.
 7. Method according to any of claims 4 through 6, characterized in that it consists of searching in the security directory (13) for an account for the application involved in said request in the name of the entity (4) or of a group to which it belongs, of authorizing access to said application and considering it to be anonymous if no account is found, and of processing the request with the security data of the account found or performing other searches for security data if an account is found.
 8. Device for securing a system (1) comprising at least one client machine (4) and at least one server machine (6), wherein an existing organizational directory (10) lists an entity (8) by means of a unique designation, characterized in that it comprises a machine (2) and a security directory (13) in storage means (12), the machine (2) making it possible to create, modify, delete, or search in the security directory (13) for security data, using as the security data attached to the entity (8) the unique designation found in the directory (10).
 9. Device according to claim 8, characterized in that the machine (2) is a security gateway (5) placed between the client machine (4) and the server machine (6) that intercepts all of the requests addressed to the server machine by the client machine, the client machine sending requests to a URL of the server machine that contains the URL of the gateway.
 10. Device according to either of claims 8 and 9, characterized in that it comprises a security management console (15) for entering, modifying, deleting, or searching for all or some of the security data in the directory (13).
 11. Application of the method according to any of claims 1 through 7 to the securing of a portal, the machine (2 a) including a piece of browser software through which the entity (8) sends requests to said portal.
 12. Application of the method according to any of claims 1 through 7 to a single sign-on procedure.
 13. Machine program for executing the steps of the method according to any of claims 1 through 7 when said program is run on a machine. 